Designing Backups for Data Privacy and Ransomware

Two external factors are forcing organizations to rethink their backup process and how they store backup data. The first is the ever-increasing threat of ransomware, which encrypts production data, forcing the customer to pay for a “key” to decrypt it. The second is data protection and privacy regulations like the European Union’s (EU) General Data Protection Regulation (GDPR). The EU isn’t unique in passing regulations like GDPR. The state of California just passed the California Consumer Privacy Act, which is similar to GDPR in many ways. Other states and even the federal government are considering similar legislation.

These two external factors, ransomware and data privacy regulations, directly impact the data protection process. In many ways, they force the organization to “up their game” regarding protection, retention, and recovery. In other ways, they force the organization to organize data protection better, so they can comply with various aspects of data privacy requirements.

Data protection, historically, is a complicated mess. The new threats facing the data center force much more frequent data protection events. If backup vendors don’t reduce complexity, then IT drowns in the process. The first step in meeting the challenges of threats like ransomware and regulations like GDPR is to simplify the backup process so IT can protect data consistently and reliably. Protection solutions need to change from a job-focused protection mindset to a service-level protection mindset. Instead of indicating that the backup job runs at noon, 2:00 pm and 4:00 pm, IT should only have to indicate the recovery point objective for a dataset or application. The time-based job schedule becomes, “make sure if I need to recover this dataset, I only lose two hours of information.”
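To make the difference between a job schedule and a service level concrete, the following added example (not from the original article or any vendor's product) measures exposure against a two-hour recovery point objective instead of checking whether jobs ran. The function names, timestamps and the failed 4:00 pm job are constructed for illustration.

```python
from datetime import datetime, timedelta

def exposure_windows(recovery_points, rpo, start, end):
    """Return (from, to, gap) for each stretch where a failure would lose more than `rpo`.

    Assumption: `start` is itself a valid recovery point (protection begins there)
    and `end` is the moment being evaluated.
    """
    marks = [start] + sorted(t for t in recovery_points if start < t < end) + [end]
    return [(a, b, b - a) for a, b in zip(marks, marks[1:]) if b - a > rpo]

def next_backup_due(recovery_points, rpo):
    """Latest moment the next backup may complete without breaching the RPO."""
    return max(recovery_points) + rpo

# Constructed day: the 4:00 pm job failed; the next good backup finished at 6:30 pm.
DAY = datetime(2024, 1, 15)
GOOD = [DAY.replace(hour=12), DAY.replace(hour=14), DAY.replace(hour=18, minute=30)]
RPO = timedelta(hours=2)

def demo():
    """Evaluate the constructed day from noon to 8:00 pm."""
    return exposure_windows(GOOD, RPO, DAY.replace(hour=12), DAY.replace(hour=20))

if __name__ == "__main__":
    for a, b, gap in demo():
        print(f"RPO breached between {a:%H:%M} and {b:%H:%M}: exposure {gap}")
    print("next backup due by", next_backup_due(GOOD, RPO).strftime("%H:%M"))
```

A job-centric report would show one failed job; the service-level view shows that the dataset was exposed to four and a half hours of loss.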

Another step in meeting these new threats and challenges is to secure the backup itself. Ransomware, in particular, poses a threat to the data that backup systems store. The malware can, accidentally or by design, find the backup system data files and encrypt them. In fact, in an increasing number of cases, ransomware now specifically targets backup data first.

Most vendors point to the importance of an “air-gapped” copy of data as protection. The problem is that newer malware strains are not executing their encryption process the moment they infiltrate the organization’s servers. Instead, the malware sits idle for a time, allowing it to get backed up repeatedly. As a result of the time delay, the backup process copies the malware file to multiple backup versions no matter where it stores the backup: disk, tape, or cloud.

The answer to this problem is to set the backup data to read-only, so it is immutable. Further, the solution needs to make sure that an external client can’t access the data, and that data can only be removed from within the backup system or through a normal backup aging process. In addition to a read-only status, the backup solution needs to provide granular visibility into the backups, so IT can detect and remove the malware file before recovering data.

The immutability and granular recovery will also enable the organization to meet the most challenging part of data privacy regulations: “the right to be forgotten.” Most data privacy regulations stipulate that a user can request organizations to remove all of the user’s data from the organization’s storage. While case law is still needed to determine the full scope of complying with the request, one can assume that data in backups requires proper management so that restoring data does not also restore a “forgotten” user’s data. The right to be forgotten component of data privacy laws means being able to remove specific components of data from within a backup or using an isolated recovery method to remove the user’s data before moving the rest of the data back into production.
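The last two points, removing a dormant malware file before recovery and keeping a forgotten user's data out of a restore, can share one filtering step at recovery time while the immutable backups stay untouched. The sketch below is an added example, not code from the article or from any backup product; the catalog layout, shortened hashes, paths and erasure list are all constructed.

```python
# Constructed catalog, oldest first: (snapshot id, {path: content hash}).
CATALOG = [
    ("snap-01", {"app/db.dump": "h-a1", "home/alice/cv.doc": "h-b1"}),
    ("snap-02", {"app/db.dump": "h-a2", "home/alice/cv.doc": "h-b1",
                 "tmp/updater.exe": "h-bad"}),   # dormant file gets backed up
    ("snap-03", {"app/db.dump": "h-a3", "home/alice/cv.doc": "h-b1",
                 "home/bob/notes.txt": "h-c1", "tmp/updater.exe": "h-bad"}),
]
BAD_HASHES = {"h-bad"}               # indicator learned only after the attack fired
ERASED_PREFIXES = ("home/alice/",)   # hypothetical list of accepted erasure requests

def infected_snapshots(catalog, bad_hashes):
    """Ids of every backup version that captured a known-bad file."""
    return [sid for sid, files in catalog
            if any(digest in bad_hashes for digest in files.values())]

def plan_restore(files, bad_hashes, erased_prefixes):
    """Split one snapshot into paths to restore and paths to withhold, with reasons."""
    restore, withheld = [], {}
    for path, digest in sorted(files.items()):
        if digest in bad_hashes:
            withheld[path] = "known-bad hash"
        elif path.startswith(erased_prefixes):
            withheld[path] = "erasure request"
        else:
            restore.append(path)
    return restore, withheld

def latest_restore_plan(catalog, bad_hashes, erased_prefixes):
    """Plan from the newest version rather than rolling back past the infection."""
    sid, files = catalog[-1]
    restore, withheld = plan_restore(files, bad_hashes, erased_prefixes)
    return sid, restore, withheld

if __name__ == "__main__":
    print("versions holding the malware file:", infected_snapshots(CATALOG, BAD_HASHES))
    print(latest_restore_plan(CATALOG, BAD_HASHES, ERASED_PREFIXES))
```

Because the filter runs on the file-level catalog, the newest data is recovered without the malware file and without the erased user's records, and nothing in the read-only backup set has to be rewritten.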

Conclusion

Ransomware and data privacy are just two examples of the new threats and regulations on the horizon that IT needs to tackle. It is difficult to predict what new concerns will present themselves in the next year, let alone the next five years. Ensuring the data protection architecture meets whatever challenge appears requires that the solution be easy to use, easy to adapt, and able to provide insight into the data it is protecting.

Sponsored by Rubrik


Twelve years ago George Crump founded Storage Switzerland with one simple goal: to educate IT professionals about all aspects of data center storage. He is the primary contributor to Storage Switzerland and is a heavily sought-after public speaker. With over 25 years of experience designing storage solutions for data centers across the US, he has seen the birth of such technologies as RAID, NAS and SAN, Virtualization, Cloud and Enterprise Flash. Prior to founding Storage Switzerland he was CTO at one of the nation's largest storage integrators, where he was in charge of technology testing, integration and product selection.
